Enterasys Networks 9034385 manual Procedures for Out-of-Band and Inline NAC

Page 73

Procedures for Out-of-Band and Inline NAC

Table 5-1 Security Domain Configuration Guidelines (continued)

Network Scenario

Examples

Security Domain Configuration

 

 

 

Area of the network that is configured to allow access only to specific end-systems or users.

Switches that provide access to only pre-configured end-systems and users in highly controlled environments, such as industrial automation networks.

For the NAC Gateway, reject all RADIUS authentication attempts. For the NAC Controller, set the Accept Policy to a highly restrictive policy or VLAN such as “Deny All.“

This allows the administrator to locally authorize specific MAC addresses or users by using MAC and user overrides, and rejecting all other connection attempts to the network.

Area of the network that provides access to a group of users or devices that pose a guaranteed low risk to the security and stability of the network.

Switches that provide network access to servers that are highly protected from attack through the implementation of firewalls as well as network-based and host-based IDS.

Switches that provide network access to end-systems that are highly managed and restricted from risky network behaviors, such as end-systems that are restricted from Internet access and always kept up- to-date with the latest anti-virus and anti-malware definitions. This may include devices restricted to communication on the private LAN, and data center or network IT operations devices.

Authorize connecting end-systems with a less restrictive set of network resources, and either don’t implement assessment, or implement assessment less frequently and with fewer parameters.

In NAC Manager, create a Security Domain with the following configuration attributes:

With the “Proxy RADIUS Request to a RADIUS Server” radio button selected, check the “Replace RADIUS Attributes with Accept Policy” option and specify a non-restrictive policy or VLAN in the Accept Policy field.

This allows the administrator to locally authorize MAC authentication requests and overwrite the policy information returned from the RADIUS server with a less restrictive policy or VLAN.

It should be noted that this configuration may open the network to security threats, and should be reviewed carefully before being implemented.

Area of the network that provides access to a group of users or devices that will be allocated a different set of network resources based on their location on the network.

Switches that provide access to both trusted and untrusted users on the network, such as conference rooms and cafeterias. These areas can be configured to restrict trusted user access to servers containing sensitive information. This protects against the possibility that an untrusted user obtains access to a trusted user's computer that is logged into the network, or that an untrusted user eavesdrops on sensitive material being viewed by adjacent trusted users.

Impose the level of authorization based on requirements of IT operations.

In NAC Manager, create a Security Domain with the following configuration attributes:

With the “Proxy RADIUS Request to a RADIUS Server” radio button selected, check the “Replace RADIUS Attributes with Accept Policy” option and specify a policy or VLAN in the Accept Policy field.

This allows the administrator to locally authorize MAC authentication requests and overwrite the policy information returned from the RADIUS server with a different policy based on the network location of an end- system.

Enterasys NAC Design Guide 5-9

Page 72 Page 74
Image 73
Page 72 Page 74
Contents Enterasys Page Page Page Contents Use Scenarios Design ProceduresDesign Planning Tables FiguresPage Related Documents Intended AudienceSupport@enterasys.com Getting HelpAuthentication NAC Solution OverviewKey Functionality DetectionDeployment Models AuthorizationAssessment RemediationModel 3 End-System Authorization with Assessment Model 2 End-System AuthorizationModel 1 End-system Detection and Tracking NAC Appliance NAC Solution ComponentsNAC Controller Appliance NAC Gateway ApplianceNAC Controller is available in two models NAC Gateway NAC Controller Appliance ComparisonDisadvantage Advantage NetSight NAC Manager NetSight ManagementRadius Server SummaryAssessment Server Summary Summary Overview Implementation Model 1 End-System Detection and TrackingOut-of-Band NAC Inline NAC Layer Features and ValueEnd-System and User Tracking Required and Optional Components Model 2 End-System AuthorizationInline NAC Device-Based Authorization Location-Based AuthorizationMAC Registration User-Based AuthorizationComponent Requirements for Authorization Model 3 End-System Authorization with Assessment Inline NAC Extensive Security Posture Compliance Verification Diverse Security Posture Compliance Verification Component Requirements for Authorization with Assessment Implementation Self-Service Remediation Required and Optional Components Enterasys NAC Deployment Models Value Use Scenarios Scenario 1 Intelligent Wired Access EdgeNAC Functions Policy-Enabled EdgeVLAN=Production RFC 3580 Capable EdgeScenario 1 Implementation Thin Wireless Edge Scenario 2 Intelligent Wireless Access EdgeRemediation Web User Laptop Thick Wireless Edge Scenario 2 Implementation Scenario 3 Non-intelligent Access Edge Wired and Wireless Layer 2 Wired LAN Scenario 3 Implementation Scenario 4 VPN Remote AccessScenario 4 Implementation VPN Remote Access EnterasysUse Scenario Summaries Summary and Appliance Requirements VPN remote access Identify the NAC Deployment Model Design PlanningIdentify the Intelligent Edge of the Network Survey the NetworkNetwork with Intelligent Edge Case #1 No authentication method is deployed on the network Evaluate Policy/VLAN and Authentication ConfigurationOverview of Supported Authentication Methods Case #2 Authentication methods are deployed on the networkEnd-System Capabilities Support of Multiple Authentication MethodsSupport for Multiple End-System Connection Authentication Considerations Authentication Support on Enterasys DevicesIdentify the Strategic Point for End-System Authorization Wireless LAN Wired LANThick Wireless Deployments Identify Network Connection MethodsThin Wireless Deployments Remote Access WANSite-to-Site VPN Identify Inline or Out-of-band NAC Deployment Remote Access VPNSummary Identify Required NetSight Applications Procedures for Out-of-Band and Inline NACDefine Network Security Domains Security Domain NAC ConfigurationsNAC Configuration Authorization NAC Configuration for a Security Domain Procedures for Out-of-Band and Inline NAC To the network Procedures for Out-of-Band and Inline NAC Procedures for Out-of-Band and Inline NAC Security Domain Configuration Guidelines for Assessment MAC Overrides Identify Required MAC and User OverridesMAC and User Override Configuration Procedures for Out-of-Band and Inline NAC Procedures for Out-of-Band and Inline NAC User Overrides Determine the Number of Assessment Servers Assessment Design ProceduresDetermine Assessment Server Location Identify Assessment Server ConfigurationIdentify Network Authentication Configuration Out-of-Band NAC Design ProceduresDetermine the Number of NAC Gateways NAC Gateway Redundancy Determine NAC Gateway Location Determine End-System Mobility Restrictions Identify Backend Radius Server InteractionPolicy Role Configuration Vlan ConfigurationDefine NAC Access Policies Assessment Policy and Quarantine Policy Configuration Failsafe Policy and Accept Policy ConfigurationAssessment Policy Policy Role Configuration in NetSight Policy ManagerQuarantine Policy Service for the Assessing RoleDetermine NAC Controller Location Inline NAC Design ProceduresUnregistered Policy Inline NAC Design Procedures Determine the Number of NAC Controllers Layer 2 NAC Controller Redundancy Define Policy Configuration NAC Deployment With an Intrusion Detection System IDS Additional ConsiderationsNAC Deployment With NetSight ASM Additional Considerations Design Procedures
Top Page Image Contents